The Hacker News — Cyber Security, Hacking, Technology News

Instagram has recently suffered a possibly serious data breach with hackers gaining access to the phone numbers and email addresses for many "high-profile" users.

The 700 million-user-strong, Facebook-owned photo sharing service has currently notified all of its verified users that an unknown hacker has accessed some of their profile data, including email addresses and phone numbers, using a bug in Instagram.

The flaw actually resides in Instagram's application programming interface (API), which the service uses to communicate with other apps.

Although the company did not reveal any details about the Instagram's API flaw, it assured its users that the bug has now been patched and its security team is further investigating the incident.

"We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users' contact information—specifically email address and phone number—by exploiting a bug in an Instagram API," Instagram said in a statement.

"No account passwords were exposed. We fixed the bug swiftly and are running a thorough investigation."

Instagram declined to name the high-profile users targeted in the breach, but the news comes two days after some unknown hacker hijacked most followed Instagram account belonged to Selena Gomez and posted her ex-boyfriend Justin Bieber's nude photographs.

Selena's Instagram account with over 125 Million followers was restored later in the day and the photos were removed.

However, Instagram did not mention if the recent data breach was related to Selena's hacked account.

With email addresses and phone numbers in their hands, the hackers next step could be used the information in tandem with social engineering techniques in an effort to gain access to verified users' Instagram accounts to embarrass them.

The company notified all verified users of the issue via an email and also encouraged them to be cautious if they receive suspicious or unrecognised phone calls, text messages, or emails.

Instagram users are also highly recommended to enable two-factor authentication on your accounts and always secure your accounts with a strong and different password.

Also, avoid clicking on any suspicious link or attachment you received via an email and providing your personal or financial information without verifying the source properly.

This is probably the most frequently asked question nowadays, and there are several applications available on Google Play Store and Apple App Store, which claims to offer you the opportunity to see who is looking at your Instagram profile.

But, should we believe them?

Is there really some kind of way out to know who viewed your Instagram profile?

The shortest answer to all these questions is 'NO', such functionality does not exist on Instagram at the moment.

But, thousands of users still have hope and hackers are taking advantage of this to target a broad audience.

Recently, security researchers have discovered some malicious applications on Android Google Play Store as well as iOS App Store, which are entirely a hoax, targeting Instagram users.

The iOS app is named "InstaCare - Who cares with me?" and is one of the top apps in Germany, while the Android app is dubbed "Who Viewed Me on Instagram" that has more than 100,000 downloads and 20,000 reviews.

Both the apps are developed by Turker Bayram – the same developer who created the malicious "InstaAgent" app for Android and iOS platform late last year that secretly stole users’ Instagram credentials.

The recent applications by Bayram also have the same functionality, luring Instagram users into believing that the app would let them know who viewed their profile. The app claims to:

The malicious apps abuse the authentication process to connect to Instagram and steal user's Instagram username and password, according to a blog post published by David Layer-Reiss from Peppersoft.

Since third party applications use API to authenticate themselves with the legitimate apps, users generally provide their same credentials to authenticate with different applications and services.

Here's How an App Can Hack Your Instagram Accounts

Today, it is quite easy for hackers to target large audience – Just abuse the name of a popular application and give users option beyond the legitimate one.

Users will simply provide their critical data, including their credentials, without knowing its actual consequences.

Once users install 'InstaCare' or 'Who Viewed Me on Instagram' on their iOS or Android device, they are immediately served a login window that forced victims to log in with their Instagram credentials.

Since the apps advertise itself to show you who viewed your Instagram profile, most users fall victim to the apps and enter their account credentials without a second thought.

The usernames and passwords are then encrypted and sent to the attacker's server. The attacker will then use those credentials later to secretly log on and take full control of the hacked Instagram accounts and post spams on the user's behalf.

Security researchers from Kaspersky Labs also confirmed David's findings. You can refer Kaspersky's blog post for more technical details on the malicious apps.

At the time of writing, neither Apple nor Google has removed the malicious apps from their official App Stores, which means that the malicious apps are still available to users for download.

It's not at all surprising that the play stores are surrounded by a number of malicious apps that may gain users' attention to fall victim for one.

But, the fact that both Apple and Google got fooled again by the same developer shows how hard it is to keep an eye on a developer who already published a malicious app and to manage the app stores in a secure manner.

Here's How to Protect Yourself

If you've already installed one of these apps and have now seen the error of your ways, and remove the culprit from your apps list too.

So if you have already fallen victim to this scam, hurry up!

Uninstall the apps mentioned above from your smartphone if you have one.

Your Instagram is not as Private as You Think. Millions of private Instagram photos may have been exposed publicly on the web until the company patched a privacy hole this weekend.

Instagram team was unaware of a security vulnerability from long time which allowed anyone with access to an image’s URL to view the photo, even those shared by users whose accounts are set to “private.”

In other words, If a private user shares an Instagram post with another service, such as Twitter or Facebook as part of the upload process, that shared photo will remain viewable to the public despite its privacy settings.

The flaw was first reported by David Yanofsky at Quartz and Instagram acknowledged the issue last week before patching the flaw. In a statement to Quartz, an Instagram representative said:

'If you choose to share a specific piece of content from your account publicly, that link remains public but the account itself is still private,'

The Instagram vulnerability was only exploitable on the web, not in Instagram’s iOS and Android apps.

'In response to feedback, we made an update so that if people change their profile from public to private, web links that are not shared on other services are only viewable to their followers on Instagram.'

Even with the loophole closed, anyone can still able to share your images online without your permission by viewing the page source, or by taking a screenshot.

Though the such privacy flaw or any other potential controversy could have an impact on parent company Facebook.